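type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;

# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
# the virtualizationmanager domain running at a more constrained MLS level.
typeattribute virtualizationservice mlstrustedsubject;

# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)

# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)

# Register our services with ServiceManager.
add_service(virtualizationservice, virtualization_service)
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
    add_service(virtualizationservice, virtualization_maintenance_service)
')

is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
    # Let virtualizationservice find and communicate with vfio_handler.
    allow virtualizationservice vfio_handler_service:service_manager find;
    binder_call(virtualizationservice, vfio_handler)
')

is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
    # Let virtualizationservice find and communicate with vmnic.
    allow virtualizationservice vmnic_service:service_manager find;
    binder_call(virtualizationservice, vmnic)
    # Only the service_manager lookup is granted here; this block adds no binder_call
    # towards the server of vm_tethering_service.
    allow virtualizationservice vm_tethering_service:service_manager find;
')

# Allow the virtualizationservice domain to serve a remotely provisioned component for
# pVM remote attestation.
hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)

# Allow the virtualizationservice to inspect whether remote attestation is supported
# through the system property.
get_prop(virtualizationservice, avf_virtualizationservice_prop)

# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;

# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
binder_call(virtualizationservice, remote_provisioning_service_server)
allow virtualizationservice remote_provisioning_service:service_manager find;

# Allow virtualizationservice to manage VM secrets via Secretkeeper.
hal_client_domain(virtualizationservice, hal_secretkeeper)

# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
# to mlock VM memory and page tables.
# CAP_SYS_RESOURCE is broader than rlimit changes; the setrlimit neverallow further down
# bounds which domains' limits this domain may actually adjust.
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;

is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
  # To provide display service to an app to get surface.
  # TODO(b/332677707): remove them when display service uses binder RPC.
  allow virtualizationservice vmlauncher_app:binder transfer;
')

# Let virtualizationservice set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;

# Let virtualizationservice create and delete temporary directories of VMs. To remove old
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;

# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };

# Allow to connect to and run VirtMgr to start the service VM for remote attestation.
virtualizationservice_use(virtualizationservice)

# Allow virtualizationservice to read and write in the apex data directory
# /data/misc/apexdata/com.android.virt. Also allow checking of the parent directory
# (needed for SQLite database creation).
allow virtualizationservice apex_module_data_file:dir { search getattr };
allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
allow virtualizationservice apex_virt_data_file:file create_file_perms;

# Accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
# The permission set includes bind/listen/accept, i.e. this domain acts as a vsock server;
# the neverallow right below keeps every other domain except dumpstate off these sockets.
allow virtualizationservice self:vsock_socket { create read getattr write setattr lock append bind getopt setopt shutdown map listen accept };
neverallow { domain -virtualizationservice -dumpstate } virtualizationservice:vsock_socket *;

# Allow virtualizationservice to read/write its own sysprop. Only the process can do so
# (enforced by the virtualizationservice_prop neverallow below, which also exempts init).
set_prop(virtualizationservice, virtualizationservice_prop)

# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)

# Allow virtualization service to talk to tombstoned to push guest tombstones
unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)

# Append to tombstone files passed as fds from tombstoned
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;

# Allow virtualizationservice to check if VFIO is supported
allow virtualizationservice vfio_device:chr_file getattr;
allow virtualizationservice vfio_device:dir r_dir_perms;

# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
allow virtualizationservice virtualizationmanager:fd use;

# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
r_dir_file(virtualizationservice, vendor_configs_file)

# Only init and virtualizationservice itself may set virtualizationservice_prop.
neverallow {
  domain
  -init
  -virtualizationservice
} virtualizationservice_prop:property_service set;

# Only init, virtualizationmanager and virtualizationservice may open or create files
# labelled virtualizationservice_data_file.
neverallow {
  domain
  -init
  -virtualizationmanager
  -virtualizationservice
} virtualizationservice_data_file:file { open create };

# Bound the sys_resource capability granted above: virtualizationservice may only adjust
# the rlimits of virtualizationmanager, itself and (pending b/332677707) crosvm.
neverallow virtualizationservice {
  domain
  -virtualizationmanager
  -virtualizationservice
  # TODO(b/332677707): remove them when display service uses binder RPC.
  -crosvm
}:process setrlimit;

is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
    # Allow virtualizationservice to deal with file descriptors of TAP interfaces.
    allow virtualizationservice tun_device:chr_file rw_file_perms;
    allow virtualizationservice vmnic:fd use;
')

is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
    # Only virtualizationservice and virtualizationmanager can communicate to vfio_handler
    # NOTE(review): the allow rule granting virtualizationservice this call (above) is gated on
    # RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, not on this flag; confirm the
    # two flags are meant to be enabled together so that this neverallow always covers it.
    neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call;
')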